From 251c1b1788a2568af4cb667f687eedd4e1e21bd9 Mon Sep 17 00:00:00 2001
From: Joyee Cheung
Date: Fri, 29 May 2020 20:38:12 +0800
Subject: [PATCH] deps: V8: backport ea0719b8ed08
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Original commit message:

[snapshot] Do not defer ArrayBuffers during snapshotting

ArrayBuffer instances are serialized by first re-assigning a index to the backing store field, then serializing the object, and then storing the actual backing store address again (and the same for the ArrayBufferExtension). If serialization of the object itself is deferred, the real backing store address is written into the snapshot, which cannot be processed when deserializing, leading to a crash.

This fixes this by not deferring ArrayBuffer serialization and adding a DCHECK for the crash that previously occurred.

Change-Id: Id9bea8268061bd0770cde7bfeb6695248978f994
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144123
Commit-Queue: Jakob Gruber
Reviewed-by: Dan Elphick
Cr-Commit-Position: refs/heads/master@{#67114}

Refs: https://github.com/v8/v8/commit/ea0719b8ed087d1f511e78595dcb596faa7638d0
PR-URL: https://github.com/nodejs/node/pull/33300
Refs: https://github.com/v8/v8/commit/bb9f0c2b2fe920a717794f3279758846f59f7840
Refs: https://github.com/v8/v8/commit/22014de00115dae09ae3d4a6c3a9f178d5495ef2
Refs: https://github.com/nodejs/node/issues/17058
Reviewed-By: Jiawen Geng
Reviewed-By: Michaƫl Zasso
---
 common.gypi | 2 +-
 deps/v8/src/snapshot/deserializer.h | 1 +
 deps/v8/src/snapshot/serializer-common.cc | 9 ++++++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/common.gypi b/common.gypi
index 3afe3c133f8d0f..6f0866dd57093d 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.14',
+ 'v8_embedder_string': '-node.15',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/snapshot/deserializer.h b/deps/v8/src/snapshot/deserializer.h
index 62814a881ae9e3..c09c589633c601 100644
--- a/deps/v8/src/snapshot/deserializer.h
+++ b/deps/v8/src/snapshot/deserializer.h
@@ -107,6 +107,7 @@ class V8_EXPORT_PRIVATE Deserializer : public SerializerDeserializer {
 }
 std::shared_ptr backing_store(size_t i) {
+ DCHECK_LT(i, backing_stores_.size());
 return backing_stores_[i];
 }
diff --git a/deps/v8/src/snapshot/serializer-common.cc b/deps/v8/src/snapshot/serializer-common.cc
index 9218d4eaa92969..46b8e36e9c64a9 100644
--- a/deps/v8/src/snapshot/serializer-common.cc
+++ b/deps/v8/src/snapshot/serializer-common.cc
@@ -125,7 +125,14 @@ void SerializerDeserializer::Iterate(Isolate* isolate, RootVisitor* visitor) {
 }
 bool SerializerDeserializer::CanBeDeferred(HeapObject o) {
- return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray();
+ // ArrayBuffer instances are serialized by first re-assigning a index
+ // to the backing store field, then serializing the object, and then
+ // storing the actual backing store address again (and the same for the
+ // ArrayBufferExtension). If serialization of the object itself is deferred,
+ // the real backing store address is written into the snapshot, which cannot
+ // be processed when deserializing.
+ return !o.IsString() && !o.IsScript() && !o.IsJSTypedArray() &&
+ !o.IsJSArrayBuffer();
 }
 void SerializerDeserializer::RestoreExternalReferenceRedirectors(
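Review bot: The added `DCHECK_LT(i, backing_stores_.size())` in `backing_store()` only fires in debug builds; in a release build an index that is too large (the failure mode the commit message describes) still reaches `backing_stores_[i]` unchecked, which, if `backing_stores_` is a `std::vector`, is an out-of-bounds read rather than a controlled abort. That is acceptable only under the assumption that the index comes from a snapshot blob produced by the same V8 build, so the assumption deserves a comment next to the check, e.g. `// i is read straight from the snapshot; a blob built by a different serializer must not reach here.`. If an embedder can supply its own snapshot blob, `CHECK_LT` would turn a corrupt or mismatched blob into a clean crash instead of a silent bad read. The enclosing `Deserializer` class starts and ends outside the hunk.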
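Review bot: The new comment block in `CanBeDeferred` has a typo on its first line, `re-assigning a index` should read `// ArrayBuffer instances are serialized by first re-assigning an index`. It would also help a future reader to state the concrete consequence instead of only "cannot be processed", since per the commit message the deferred path writes a raw address where the deserializer expects a backing-store index: `// be processed when deserializing (the address is read as a backing_stores_ index).`. The comment's claim about ArrayBufferExtension being handled the same way is not visible in this hunk, so I have not verified it.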